Alert: Wormable Flaw in Remote Desktop Services Could Result in New WannaCry-Like Outbreak


With exploitation “highly likely,” Microsoft is urging Windows users to patch now and has even issued fixes for out-of-support versions including Windows Server 2003 and Windows XP.
This month’s Patch Tuesday was a doozy. The lineup included a number of vulnerabilities deserving of headliner status, from a flaw in WhatsApp exploited to install spyware to a bug that could allow attackers to bypass the secure boot process on every enterprise Cisco router released since 2013.

Oh, then there’s the fresh side-channel attack — called “ZombieLoad,” complete with website and logo — affecting almost every computer with an Intel chip dating back to 2011. Like the Meltdown and Spectre bugs that caused such a ruckus in early 2018, ZombieLoad takes advantage of modern processors’ reliance on speculative execution to run faster and more efficiently. Successfully exploiting ZombieLoad can leak data such as passwords, access tokens, and the websites a user is visiting in real time.

As with Meltdown and Spectre, however, while the scope of the flaw is huge and the potential impact massive, the actual likelihood of attackers leveraging it in the real world is relatively low, especially compared to another vulnerability disclosed on Tuesday that’s getting less press.

While it may not have a catchy name or dedicated website, CVE-2019-0708 — a vulnerability in Microsoft’s Remote Desktop Services — is arguably THE top vulnerability in this murderers’ row of flaws you should be most worried about.

To be clear, all of these vulnerabilities deserve patching, but if you’re looking to prioritize, this post will explain why this one belongs at the top of the list.

What’s the vulnerability?

CVE-2019-0708 is a remote code execution (RCE) vulnerability in Remote Desktop Services that allows an unauthenticated attacker to execute arbitrary code on a target system by sending a specially crafted request via RDP. The request is handled before any authentication takes place, so the attacker needs neither credentials nor any action from a user on the target.

Why is it dangerous?

RCEs are never good, but the thing that should really set your Spidey sense tingling is the quoted term in the statement below.

“This vulnerability is “wormable,” meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Simon Pope, Director of Incident Response, Microsoft Security Response Center


For those with blessedly short memories, the WannaCry ransomware outbreak saw more than 200,000 computers across 150 countries infected with data-encrypting malware, with total damages estimated to be in the billions. The infection cost the UK’s National Health Service alone nearly £100m.

WannaCry spread rapidly across systems using an exploit called EternalBlue (purportedly developed by the NSA) that targeted a vulnerability in version 1 of Microsoft’s Server Message Block (SMBv1) protocol. Like SMB, RDP provides a built-in method of connecting to devices within a network, making it a favorite target for exploitation. Case in point: included in the same group of leaked exploits along with EternalBlue was an exploit called EsteemAudit, which targeted a flaw in Microsoft’s handling of RDP.

In fact, there has been a long history of Microsoft security updates related to Remote Desktop Services and RDP, with more than 24 separate CVEs issued since 2002. Criminals have also routinely taken advantage of systems with RDP exposed to the Internet to conduct brute force attacks and infect victims with ransomware and other malware.

Making sure RDP isn’t exposed has become standard security 101, yet millions of systems are doing exactly that. The large number of exposed, vulnerable systems combined with the ease of exploitation and the fact that no user interaction is required make this an absolutely critical vulnerability to patch.

The good news is no real PoC has been made public yet, but some experts estimate a working exploit could be released in a matter of days.

What systems are affected?

Microsoft’s advisory lists Windows 7, Windows Server 2008 and Windows Server 2008 R2 as affected, along with the out-of-support Windows XP and Windows Server 2003, which is why those two received patches as well. Newer versions of Windows, including Windows 8, Windows 10 and Windows Server 2012 and later, are NOT vulnerable.

Other mitigations

According to Microsoft, enabling Network Level Authentication (NLA) provides partial mitigation: NLA forces the client to authenticate (via CredSSP) before a session is set up, so an attacker without credentials never reaches the vulnerable code path. It unfortunately won’t help if an attacker has obtained valid credentials (via brute force attack, purchasing them on a dark web marketplace, etc.), and it is a stopgap until the patch is applied, not a replacement for it.
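Because the mitigation hinges on whether a listener actually enforces NLA, it helps to be able to check that from the outside, for every RDP endpoint you can reach, rather than trusting the GUI checkbox. The following probe is an added example written for this post, not code from Microsoft or from the original article. It speaks the first step of the RDP handshake documented in MS-RDPBCGR: the client sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks for plain “standard RDP security” (no TLS, no CredSSP). A server that enforces NLA refuses with an RDP_NEG_FAILURE whose code is HYBRID_REQUIRED_BY_SERVER; a server that answers with an RDP_NEG_RSP, or with a bare Connection Confirm as old XP/2003-era servers do, lets an anonymous client continue into the pre-authentication code path. The host and port are whatever you pass in; the sample responses in the comments are constructed for illustration. This tells you only whether NLA is enforced, not whether the patch is installed.

```python
"""Probe an RDP listener to see whether it enforces Network Level Authentication (NLA).

Added example for this post (not Microsoft's or the article's own code). Implements the
X.224 Connection Request / Confirm exchange from MS-RDPBCGR section 2.2.1.1 and 2.2.1.2.
"""
import socket
import struct
import sys

# requestedProtocols flags (RDP_NEG_REQ)
PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, no CredSSP
PROTOCOL_SSL = 0x00000001     # TLS only
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

RDP_NEG_RSP = 0x02
RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Only these refusals mean the server insists on authenticating the client first.
NLA_REQUIRED_CODES = {5, 6}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req       # CR code, DST-REF, SRC-REF, class
    x224 = bytes([len(x224)]) + x224                                    # length indicator (LI)
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224        # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Classify the server's X.224 Connection Confirm. Returns (nla_enforced, detail)."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed RDP response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    body = data[11:5 + li]  # whatever follows the 7-byte X.224 CC header
    if len(body) < 8:
        # e.g. 03 00 00 0b 06 d0 00 00 12 34 00 (constructed): no negotiation response at all
        return False, "legacy server: no RDP negotiation response, standard RDP security only"
    typ, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if typ == RDP_NEG_RSP:
        return False, "server accepted selectedProtocol=%d without requiring NLA" % value
    if typ == RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "UNKNOWN(%d)" % value)
        return value in NLA_REQUIRED_CODES, "server refused: " + name
    raise ValueError("unexpected negotiation type 0x%02x" % typ)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Connect, offer standard RDP security, and report whether the server demands NLA."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        header = _recv_exact(s, 4)
        total = struct.unpack(">H", header[2:4])[0]
        return parse_connection_confirm(header + _recv_exact(s, total - 4))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder target
    enforced, detail = probe(target)
    print("%s: NLA %s (%s)" % (target, "enforced" if enforced else "NOT enforced", detail))
```

Run it against each host that answers on 3389; any “NOT enforced” result on a system from the affected list above is a host where an anonymous attacker can reach the vulnerable code, and it should be patched first. Note that SSL_REQUIRED_BY_SERVER is deliberately classified as not enforced: TLS alone only encrypts the transport, it does not authenticate the client before the session is set up.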

While patching is the only sure-fire way to address this vulnerability, it’s also a good time to ensure you’ve taken steps to properly secure RDP throughout your client networks. Here are two great resources that can help:


Are you checking all the right boxes to protect your customers from cyber attacks?

Download our 2019 MSP Cybersecurity Checklist here.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all of your devices centrally, remotely, and at scale.
